Tuesday, September 20, 2011

Japan, US Defense Industries Among Targeted Entities in Latest Attack

Via TrendMicro Malware Blog -

Trend Micro has uncovered a campaign of targeted attacks that have successfully compromised defense industry companies in Japan, Israel, India and the USA. We have been able to identify eight victims of this attack and are in the process of notifying them. In total, the attackers compromised 32 computers; however, there were multiple compromises at several locations. This network has been active since July 2011 and is continuing to send out malicious documents in an attempt to compromise additional targets.

We have analyzed a sample that connects to the same command-and-control (C&C) server in this targeted attack. We also analyzed the second stage malware used by the attackers that was built specifically for one of the targeted companies as well as a remote access Trojan (RAT) used by the attackers.

[...]

While this network has managed to compromise a relatively small number of victims, there is a high concentration of defense industry companies among the victims. Moreover, the fact that specific malware components are created for specific victims indicates a level of intentionality among the attackers.


--------------------------------------------------------------------------------------------

This investigation of an APT attack by TrendMicro may or *may not* be related to the recent reports of a suspected APT attack against Mitsubishi Heavy Industries (MHI) - Japan's primary defense contractor.

The attack sequence outlined by TrendMicro seems to follow the common narrative of an APT attack in its initial stages:

  1. E-mails with malicious attachments (PDF) exploiting a vulnerability in specific versions of Adobe Flash and Reader are sent to, and opened by, targeted victims.
  2. The dropped malware connects to the C&C server, sends some system information, then awaits commands.
  3. Attackers command the malware to report back network information (local IP, subnet) and the file names in specified directories.
  4. Attackers use the foothold malware to download custom DLLs onto the compromised hosts of only certain target companies.
  5. Attackers issue commands for the compromised computers to download tools that allow lateral movement across the network using valid credentials (pass-the-hash tools).
  6. Once on the network, attackers drop a Remote Access Tool/Trojan (RAT) onto the compromised system to allow real-time control of it.
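Step 5 is the one a network defender has the best chance of catching from the host side: pass-the-hash tools produce NTLM network logons (Windows Security event 4624, logon type 3, authentication package NTLM) from one workstation to many servers in a short burst, where a normal domain user would mostly authenticate with Kerberos and to a handful of hosts. The script below is an added example for this post, not code from TrendMicro or the blog author; the event records are constructed and only modelled on the 4624 field names, so a real deployment would feed it parsed event log data instead.

```python
"""Flag workstations that fan out NTLM network logons to many hosts in a short
window, a pattern consistent with pass-the-hash lateral movement (step 5 above).
The input records are constructed for illustration; in practice they would be
parsed from Windows Security event 4624 (an account was successfully logged on)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, modelled on fields of Windows event 4624.
# LogonType 3 = network logon; AuthenticationPackageName "NTLM" rather than
# Kerberos on a domain-joined network is the combination pass-the-hash tools
# produce, because they never hold a Kerberos ticket for the account.
SAMPLE_EVENTS = [
    # (timestamp, target host, account, logon type, auth package, source workstation)
    ("2011-09-20T10:00:05", "FILESRV01", "jsmith",     3, "Kerberos",  "WS-0142"),
    ("2011-09-20T10:02:11", "FILESRV01", "svc_backup", 3, "NTLM",      "WS-0142"),
    ("2011-09-20T10:02:14", "ENGSRV03",  "svc_backup", 3, "NTLM",      "WS-0142"),
    ("2011-09-20T10:02:19", "DC01",      "svc_backup", 3, "NTLM",      "WS-0142"),
    ("2011-09-20T10:02:25", "BUILD02",   "svc_backup", 3, "NTLM",      "WS-0142"),
    ("2011-09-20T10:02:31", "HR-APP01",  "svc_backup", 3, "NTLM",      "WS-0142"),
    ("2011-09-20T10:30:00", "FILESRV01", "mlee",       3, "Kerberos",  "WS-0077"),
    ("2011-09-20T11:15:42", "PRINTSRV",  "mlee",       3, "NTLM",      "WS-0077"),
    ("2011-09-20T12:00:00", "WS-0142",   "jsmith",     2, "Negotiate", "WS-0142"),
]


def parse_event(raw):
    """Turn one constructed tuple into a dict with a parsed timestamp."""
    ts, target, account, logon_type, package, source = raw
    return {
        "ts": datetime.fromisoformat(ts),
        "target": target,
        "account": account,
        "logon_type": logon_type,
        "package": package,
        "source": source,
    }


def find_lateral_movement(events, window=timedelta(minutes=5), min_hosts=4):
    """Return {(source workstation, account): sorted target hosts} for every
    source that used one account for NTLM network logons to at least
    `min_hosts` distinct hosts inside some sliding window of length `window`.
    Kerberos logons and interactive (type 2) logons are ignored."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["package"].upper() == "NTLM":
            by_key[(e["source"], e["account"])].append(e)

    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; stop at the first window
        # that reaches the host threshold for this (source, account) pair.
        for i, start in enumerate(evs):
            hosts = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    parsed = [parse_event(r) for r in SAMPLE_EVENTS]
    for (src, acct), hosts in find_lateral_movement(parsed).items():
        print(f"{src} used {acct} for NTLM network logons to "
              f"{len(hosts)} hosts within 5 minutes: {', '.join(hosts)}")
```

In the constructed data only WS-0142 trips the rule (five NTLM logons as svc_backup in twenty seconds), while WS-0077's single NTLM logon and the Kerberos traffic are ignored. The window and host threshold are assumptions to tune per environment: backup agents, vulnerability scanners and administrators' remote tools legitimately produce the same fan-out, so an allow-list of known scanning sources belongs in front of any alert built on this logic.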
